ARTICLE 29 DATA PROTECTION WORKING PARTY
14/EN WP 229
COOKIE SWEEP COMBINED ANALYSIS – REPORT
Adopted on 3 February 2015
This Working Party was set up under Article 29 of Directive 95/46/EC. It is an independent European advisory body on data protection and privacy. Its tasks are described in Article 30 of Directive 95/46/EC and Article 15 of Directive 2002/58/EC. The secretariat is provided by Directorate C (Fundamental Rights and Union Citizenship) of the European Commission, Directorate-General for Justice and Consumers, B-1049 Brussels, Belgium, Office No MO-59 02/013. Website: http://ec.europa.eu/justice/data-protection/index_en.htm
1. Executive summary The Article 29 Working Party in partnership with national regulators with responsibility for enforcing Article 5(3) of the ePrivacy Directive 2002/58/EC, as amended by 2009/136/EC, conducted a sweep of up to 478 websites in the e-commerce, media and public sectors across 8 member states. The sweep highlighted differences in the use of cookies across different target sectors and between the individual member states. The sweep also highlighted areas for improvement including a few cookies with duration periods of up nearly 8000 years. This is in contrast to an average duration of 1 to 2 years. The sweep however also showed that 70% of the 16555 cookies recorded were third-party cookies. It was also shown that more than half of the third-party cookies were set by just 25 third-party domains. The sweep also showed that a notification banner was a popular method of informing website visitors regarding the use of cookies in addition to a link in the header or footer to more information. However, there are still a number of sites which do not provide sufficient notification that cookies are being set, do not seek consent from the user, or provide a sufficient quality of cookie information to website visitors. 2. Introduction In order to assess the current state of steps taken by website operators to ensure compliance with Article 5(3) of Directive 2002/58/EC, as amended by 2009/136/EC, the Article 29 Working Party (WP29) proposed to conduct a sweep of websites used by to European citizens. The sweep aimed to inform WP29 of the current usage of cookies and likely state of compliance with Article 5(3) across the EU in a range of specific sectors and areas of highest concern in order to inform policy engagement, discussions with stakeholders and provide a basis for any coordinated enforcement activity that may be required. The sweep included both Data Protection Authorities and other National Regulators which have the responsibilities for enforcing Article 5(3) of the ePrivacy Directive. 3. Sweep participants The following organisations took part in the cookie sweep: Czech Republic – Úřad pro ochranu osobních údajů Denmark – Erhvervsstyrelsen France – Commission nationale de l'informatique et des libertés Greece – Hellenic Data Protection Authority Netherlands – Authority for Consumers & Markets Slovenia – Informacijski pooblaščenec Republike Slovenije Spain – Agencia Española de Protección de Datos United Kingdom – Information Commissioner’s Office
2
4. Methodology The cookie sweep comprised of two stages. The first was a statistical review of cookies used by websites and their technical properties. The second comprised of a more in-depth manual review of cookie information and consent mechanisms. In this sweep all cookies were counted and considered equally. Those cookies which qualify for a valid exemption for the consent requirement were not specifically identified. Whilst these cookies will be in the minority the requirement for information about their usage will remain. 4.1. Target sites Target sectors were selected as those which were considered by the WP29 to present the greatest data protection and privacy risks to EU citizens. The target sectors chosen were media, e-commerce and the public sector. Target web sites were selected as amongst the 250 most frequently visited1 by individuals within each member state taking part in the sweep. In order to remove potential duplication, websites of organisations which were not firmly established within a member state taking part in the sweep were suggested to be excluded. Where possible the same target site list was used for both the automated and manual sweep although slight differences were experienced (such as one site redirecting to another already included within the target site list or resource limitations reduced the level of detail an investigator could devote to the sweep). 4.2. Automated sweep A Python script interfacing with Selenium Python bindings2 was written by the UK’s Information Commissioner’s Office and circulated to sweep participants. The sweep script was run from a new installation of Ubuntu 12.04 LTS. A new user profile with the default settings of the Firefox web browser3 was used for each URL visit. Cookies were extracted using a slightly modified version of the “Get all Cookies in XML”4 Firefox extension and saved to a log file for later analysis. The curated list of URLs for the home page of the target sites was passed to the automated sweep script. Cookies set only on the first page visited (or if redirected by the target site) were saved for analysis. No further website crawling was conducted. 4.3. Manual sweep This comprised of a manual visit to the URL of the target site in order to record the steps taken by the site to inform users that cookies were in use and steps taken to obtain consent. 1
As reported by http://www.alexa.com http://docs.seleniumhq.org/ 3 i.e. accept all cookies, DNT unset and JavaScript enabled 4 https://addons.mozilla.org/en-US/firefox/addon/get-all-cookies-in-xml/ 2
3
Features such as the notification mechanism used, visibility and quality of further cookies information provided and the type of tool used to allow a user to express consent was recorded. The manual sweep in itself is not an assessment of compliance and the lack of a particular compliance feature would not necessarily show cause for concern as the purpose of recording these features is to inform regarding the landscape of steps taken towards compliance. Furthermore, an assessment of the accuracy of cookie information or the effectiveness of a particular user control tool was out of scope of the sweep. 5. Results 5.1. Automated sweep This section focuses on the results of the automated sweep. It should therefore be regarded simply as a statement of the number of cookies set by the target sites and their technical properties. 5.1.1. Number of sites by country and sector A total of 478 sites were swept by 8 member states between 15-19 September 2014. Country
e-commerce
Media
Public
Total
CZ
24
16
9
49
DK
24
21
10
55
ES
32
24
9
65
FR
42
36
5
95
GR
14
11
4
29
NL
20
37
2
59
SI
19
12
11
42
UK
60
17
7
84
Total
478
Table 1: A breakdown of sites visited during the automated sweep by each participant
4
5.1.2. Cookies set by country and sector A total of 16555 cookies were set by all 478 sites. This gives an average of 34.6 cookies per site. Country
e-commerce
Media
Public
Total
CZ
475
707
86
1268
DK
499
1582
117
2198
ES
933
1420
51
2404
FR
1286
2642
194
4238
GR
228
174
12
414
NL
517
1561
11
2089
SI
153
64
16
233
UK
2250
1413
48
3711
Total
16555
Table 2: A breakdown of the cookies set by websites during the automated sweep
The table below shows the average number of cookies set by each sector type per country. Country
e-commerce
Media
Public
Mean
CZ
19.8
44.2
9.6
25.9
DK
20.8
75.3
11.7
40.0
ES
29.2
59.2
5.7
37.0
FR
30.6
73.3
38.8
n/a
GR
16.3
15.8
3.0
14.3
NL
25.9
42.2
5.5
35.4
SI
8.1
5.3
1.5
5.5
UK
37.5
83.1
6.9
44.2
Mean
23.5
49.8
10.3
28.9
Table 3: The average number of cookies set by websites within each sector and country which participated within the automated sweep
5
5.1.3. Total first party and third party cookies by country A total of 4901 first-party cookies and 11654 third-party cookies were set across the 478 sites. This gives an average of 10.3 first-party cookies and 24.4 third-party cookies per site. Country
First-party
Third-party
Total
CZ
447
821
1268
DK
512
1686
2198
ES
664
1740
2404
FR
1056
3182
4238
GR
218
169
414
NL
607
1482
2089
SI
152
81
233
UK
1245
2466
3711
Total
4901
11654
16555
Table 4: A breakdown of cookies set by websites according to party and country
Country First-party Third-party Total CZ 35.25% 64.75% 100.00% DK 23.29% 76.71% 100.00% ES 27.62% 72.38% 100.00% FR 24.92% 75.08% 100.00% GR 52.66% 47.34% 100.00% NL 29.06% 70.94% 100.00% SI 65.24% 34.76% 100.00% UK 33.55% 66.45% 100.00% Total 29.60% 70.39% 100.00% Table 5: The ratio of first and third party cookies set by sites according to the country participating in the sweep
6
Figure 1: The ratio of first and third party cookies set by sites according to the country participating in the sweep
5.1.4. Total session and persistent cookies by country A total of 2302 session cookies and 14253 persistent cookies were set across the 478 sites. This gives an average of 4.8 session cookies and 29.8 persistent third-party cookies per site. CZ reports the highest ratio of persistent to session cookies with other member states usage of session cookies being within the range 10-20% of all cookies. Country
Session
Persistent
Total
CZ
124
1144
1268
DK
237
1961
2198
ES
402
2002
2404
FR
519
3719
4238
GR
73
341
414
NL
287
1802
2089
SI
46
187
233
UK
614
3097
3711
2302
14253
16555
Total
Table 6: A breakdown of session and persistent cookies set by websites during the automated sweep
7
Country Session Persistent Total CZ 9.78% 90.22% 100.00% DK 10.78% 89.22% 100.00% ES 16.72% 83.28% 100.00% FR 12.25% 87.75% 100.00% GR 17.63% 82.37% 100.00% NL 13.74% 86.26% 100.00% SI 19.74% 80.26% 100.00% UK 16.55% 83.45% 100.00% Total 13.91% 86.09% 100.00% Table 7: The ratio of session to persistent cookies set by websites during the automated sweep
Figure 2: The ratio of session to persistent cookies set by websites during the automated sweep
5.1.5. Total first party and third party cookies by sector Media websites showed a more prevalent use of third-party cookies as compared to the public and e-commerce. Public sites showed the most prevalent use of first-party cookies. Sector First-party Third-party Total e-commerce 2160 2895 5055 Media 1457 5464 6921 Public 228 113 341 Total 3845 8472 12317 Table 8: A breakdown of first and third party cookies by sector set by sites during the automated sweep
8
Sector First-party Third-party Total e-commerce 42.73% 57.27% 100.00% Media 21.05% 78.95% 100.00% Public 66.86% 33.14% 100.00% Total 31.22% 68.78% 100.00% Table 9: The ratio of first and third party cookies by sector set by sites during the automated sweep
5.1.6. Total session and persistent cookies by sector Media sites showed the most prevalent use of persistent cookies as compared to the public and e-commerce. Public sites showed the most prevalent use of session cookies. Sector Session cookie Persistent cookie Total e-commerce 964 4091 5055 Media 719 6202 6921 Public 100 241 341 Total 1783 10534 12317 Table 10: A breakdown of session and persistent cookies by sector set by sites during the automated sweep
Sector Session cookie Persistent cookie Total 19.07% 80.93% 100.00% e-commerce 10.39% 89.61% 100.00% Media 29.33% 70.67% 100.00% Public 14.48% 85.52% 100.00% Total Table 11: The ratio of session and persistent cookies by sector set by sites during the automated sweep
9
5.1.7. Cookie usage by site 5.1.7.1.
Sites setting more than 100 cookies
22 sites set more than 100 cookies (both first and third-party). Site country Site sector First-party Third-party Total media DK 12 247 259 media UK 23 202 225 media CZ 16 190 206 media DK 13 186 199 media DK 9 189 198 e-commerce ES 30 168 198 media UK 10 154 164 e-commerce UK 28 120 148 media UK 20 121 141 media ES 8 131 139 media DK 17 122 139 media NL 9 129 138 media DK 14 124 138 media UK 15 122 137 media UK 15 121 136 e-commerce UK 38 87 125 e-commerce UK 31 93 124 e-commerce UK 17 103 120 media ES 14 104 118 media UK 22 82 104 e-commerce DK 19 84 103 media ES 16 85 101 Table 12: A list of those sites which set more than 100 cookies during the automated sweep
Of these sites, all provided at least a link in the header or footer to further cookie information. 9 provided a permanent banner, 3 used a banner which disappeared on the next user click and 5 provided a banner which disappeared after a set period of time.
10
5.1.7.2.
Sites setting only first party cookies
74 sites set only first party cookies (session and persistent). Country
e-commerce
Media
Public
Total
CZ
3
5
8
DK
4
7
11
ES
7
4
11
FR
7
GR
2
NL
3
SI
9
UK
8
Total
7
43
4
6
1
2
6
1
11
21
3
11
36
81
2
Table 13: A summary of sites which set only first party cookies during the automated sweep
5.1.7.3.
Sites setting only session cookies
15 sites set only session cookies (first and third-party). Site country Site sector Number of session cookies CZ Public 1 NL Public 1 DK Public 1 SI Media 1 SI Public 1 SI Public 2 DK Public 1 SI Public 1 UK e-Commerce 8 SI Public 2 SI Public 1 SI Public 2 SI Public 1 SI Public 1 SI Public 1 Table 14: A summary of sites which set only session cookies during the automated sweep
11
5.1.8. Cookie duration 5.1.8.1.
Duration of first-party cookies
3 first-party cookies were set by 3 sites with a duration of 7985 years (expiry 31/12/9999 23:59). Country Sector Expires UK media 31/12/9999 23:59 DK media 31/12/9999 23:59 DK e-commerce 31/12/9999 23:59 Table 15: A summary of the cookies set by sites with the expiry of 31 December 9999
17 first-party cookies were set by 15 different sites with a duration >100 years. Country
Sector
Expires
Duration (years5)
UK
media
31/12/9999 23:59
7991
DK
media
31/12/9999 23:59
7991
DK
e-commerce
31/12/9999 23:59
7991
UK
e-commerce
12/08/4752 11:43
2740
ES
media
23/01/3014 07:55
1000
ES
media
23/01/3014 08:05
1000
ES
media
23/01/3014 07:55
1000
UK
e-commerce
30/01/2836 11:50
822
UK
e-commerce
07/02/2585 19:42
571
UK
media
21/09/2462 11:40
448
UK
media
21/09/2462 11:40
448
ES
media
09/05/2246 07:58
232
ES
media
09/05/2246 08:04
232
GR
media
11/08/2164 03:49
150
GR
media
11/08/2164 03:49
150
UK
e-commerce
16/09/2114 00:00
100
CZ
e-commerce
24/08/2114 08:36
100
Table 16: A summary of the first-party cookies set by sites in the automated sweep with a duration of greater than 100 years 5
1 year calculated as 365 days
12
The average duration of first-party persistent cookies was 14.34 years. Excluding cookies with duration >100 years, this reduces to 2.05 years. Only 1 of these sites displayed no cookie information at all. Seven sites displayed a link in just the header or footer with the remaining sites opting to use a notification banner to inform users (4 permanent, 6 temporary).
13
5.1.8.2.
Duration of third-party cookies
27 third-party cookies were set by 15 different first-party sites (5 third-party sites) with a duration >68 years. 243 (2%) third-party cookies were set with a duration >10 years. Country
Duration (years6)
Sector
FR
media
7985
FR
media
2738
ES
media
FR
media
100 100
FR
media
CZ
e-commerce
99
CZ
media
68
CZ
media
68
DK
e-commerce
68
DK
e-commerce
68
DK
media
68
DK
media
68
ES
media
68
FR
media
68
FR
media
68
FR
media
68
FR
media
68
FR
media
68
FR
media
68
FR
media
68
NL
media
68
UK
e-commerce
68
UK
media
68
UK
media
68
UK
media
68
UK
media
68
100
UK media 68 Table 17: A summary of the third-party cookies set by sites in the automate sweep with a duration of 68 years
The average duration of third-party persistent cookies was 1.77 years. Excluding cookies with duration >68 years, this reduces to 1.33 years. 6
1 year calculated as 365 days
14
Only 1 of these sites displayed no cookie information at all. Four provided only a link in the header or footer with the remainder opting to use a banner to information users. Four sites used a permanent banner, 3 a temporary banner which disappeared on the next user click and 2 used a timed banner. 5.1.8.3.
Distribution of first and third party cookies by duration
Figure 3: A summary of the duration of cookies set by all sites in the automated sweep
5.1.9. Third-parties 415 domains set 8472 third-party cookies across the 478 sites swept. On average each site swept resulted in 27.6 third-party cookies from 10.7 third party domains. 25 third-party domains set cookies on >30 sites. On average, each third-party domain set 20.4 cookies on each site where it was used as a third-party. These 25 third-party domains set a total of 4542 cookies which represents 53.1% of all third-party cookies. The major business activity of these third-party domains are involved in third-party advertising.
15
Site Count sites Total number of cookies set doubleclick.net 213 247 adnxs.com 114 320 scorecardresearch.com 98 198 rubiconproject.com 80 903 yahoo.com 64 167 gemius.pl 61 112 360yield.com 59 282 twitter.com 59 83 turn.com 58 133 adform.net 56 252 mathtag.com 52 177 mookie1.com 52 167 adtech.de 51 124 pubmatic.com 50 176 openx.net 47 49 google.com 46 49 serving-sys.com 44 183 criteo.com 43 140 adformdsp.net 38 77 smartadserver.com 37 153 casalemedia.com 36 213 adscale.de 34 124 atemda.com 33 148 abmr.net 33 33 254a.com 30 32 Table 18: A summary of the third-party domains which set cookies of more than 30 of the sits visited in the automated sweep
5.2. Manual sweep 5.2.1. Zero cookie sites 7 sites were observed during the manual sweep that did not set any cookies. These sites were in CZ (2), ES (1), GR (2) and NL (2). 5.2.2. Number of sites by country and sector A total of 437 sites were manually inspected by 7 member states between 15-19 September 2014 and the results pooled for analysis. Due to resource constraints not all features of CZ sites were fully inspected.
16
Country
e-commerce
Media
Public
Total
CZ
24
16
9
49
DK
22
20
10
52
ES
32
24
9
65
FR
49
45
8
102
GR
14
11
4
29
NL
20
37
2
59
UK
58
16
7
81
Total
437
Table 19: A summary of the number of sites inspected during the manual sweep
5.2.3. Notification method7 Sector
Modal dialog8
Permanent banner 9
Temporar y banner10
Timed banner11
Heater or Footer12
No notification13
e-commerce
6
51
72
8
155
54
Media
5
63
42
6
131
35
Public
0
13
6
0
28
27
Total
11
127
120
14
201
116
Table 20: A summary of the notification method used by sites in the manual sweep
The most common notification method is to use a type of banner (59%) or with a link in the header or footer (39%), or both. There were 116 (26%) sites which showed no notification of any kind on the first page visited during the sweep. Of the 116 sites which showed no notification information, 37 were swept
7
Notification method is not mutually exclusive (i.e. a site could use both a link in the header/footer and a banner). 8 A dialog box which is displayed on screen which the user must read before continuing to the site 9 A banner which is displayed until the user clicks within the banner to indicate consent 10 A banner which is displayed until the user clicks anywhere on the page (e.g. to move to a second page) 11 A banner which is displayed for a set amount of time regardless of the user taking any action 12 Cookie information is given in a page linked to from header or footer 13 No cookie information is given on the site
17
by the Czech Republic. In total this represented 76% of the sites swept by Czech Republic which did not provide any cookie notification on the first page visited. Country
e-commerce
Media
Public
% of sites swept
Total
CZ
19
9
9
37
76%
DK
7
3
3
13
25%
ES
2
0
6
8
12%
FR
14
11
7
32
31%
GR
5
2
2
9
31%
NL
2
10
0
12
20%
UK
5
0
0
5
6%
54
35
27
116
26%
Total
Table 21: A summary of the sites, by sector and country, which showed no cookies notification method
Of those sites that did provide a notification it was considered that it was not sufficiently visible, or visibility could be improved in 39% of cases in order for the user to be able to make an informed choice regarding the use of cookies. 5.2.4. Information provided The cookie information provided on 404 sites was inspected in greater detail. In 173 (57%) cases, it was considered that site provided an appropriate level of information regarding the types of cookies used. Therefore 43% of sites do not provide sufficient information regarding the types or purposes of cookie usage. The information on 204 (50%) sites inspected requested consent from the user to store cookies. The remaining 200 (50%) use language such as “we use cookies”, “cookies are being set” or similar. 5.2.5. User control A minority of sites (49 sites, 16%) inspected offered a granular level of control where the user is offered a choice of accepting or declining certain types of cookies. The remaining sites require the user to review the browser settings to control cookie usage.
18
6. Conclusions It is important to recall that the results of the both the automated scan and the manual review are not an assessment of cookie compliance but an assessment of the extent of the use of cookies, level of information provided and a review of control mechanisms in place. The accuracy of information provided was not assessed as part of the manual review nor was the effectiveness of any control mechanism. Furthermore, a website which does not offer the full range of control mechanisms would not immediately be deemed non-compliant with a national interpretation of Article 5(3). It is clear from the results that a large number of target sites set at least 1 cookie. Only 7 sites were seen in the manual review which did not set any cookies. If a user had set their browser controls to not accept third-party cookies and visited the same sites then 70% of the cookies recorded would not have been set (11654/16555). There is a variation in the use of cookies across websites both within and between sectors and across member states. For example, some e-commerce sites used only first-party cookies and some media sites used high numbers or third-party cookies. Target sites in Slovenia set consistently fewer cookies in all target sectors. Media sites in Denmark, France and the UK set, on average, a higher number of cookies as compared to others in the same sector. Target sites in Slovenia and Greece also showed usage of a higher proportion of first-party cookies as compared to sites in other member states. Public sector sites set, on average, the fewest cookies and these contained the highest proportion of first party cookies. Media sites set, on average, the highest number of cookies. Media sites also contained the highest proportion of third-party cookies as compared to other sectors. It was also shown that some e-commerce and media sites did not use any third-party cookies. Media sites set the highest proportion of persistent cookies as compared to other sectors. Public sites set a higher proportion of session cookies. Some first and third party cookies appear to have an extremely long duration. Cookies with an expiry set to 31/12/9999 23:59 (the maximum possible value) could be regarded as not having a reasoned retention schedule defined. Excluding cookies with a long duration (greater than 100 years) the average duration was between 1 and 2 years. This could be a useful starting point for a discussion regarding an acceptable maximum duration, although the purpose of the cookie will also need to be taken into account. The distribution of the duration of first party cookies is slightly skewed towards shortduration cookies (less than 60 minutes), when compared with the distribution of third party cookies. Third-party persistent cookies showed a lower average duration as compared to firstparty persistent cookies. This might be due to self-regulatory advertising industry guidelines.
19
Considering the notification and information provided 26% of sites did not provide any notification that cookies were in use, with 75% of these being swept by the Czech Republic. The UK reports a low 6% of sites (all classed as e-commerce) with no cookie notification. The quality of information provided was variable with more than half (54%) of sites not requesting consent from the user, merely informing that cookies were in use. Whilst it was encouraging to see that some sites are offering a high degree of user control regarding certain types and categories of cookies, only 16% of sites offered such a tool. The majority relied on browser settings or an opt-out tool provided on a third-party site (a thirdparty advertising site, for example). Amongst those sites which set the highest number of cookies most had taken some steps to inform users about the use of cookie through a banner which was either permanent (requiring an active click from the user within the banner to disappear), a banner which disappears on the next user click anywhere on the page or timed to disappear after a certain length of time.
20